Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.
AnalysisAI
An incomplete Server-Side Request Forgery (SSRF) mitigation in Wallos, a self-hostable subscription tracker, allows authenticated attackers to bypass security controls and force the application to make requests to internal or private IP addresses. Wallos versions prior to 4.7.0 are affected. The vulnerability occurs because SSRF validation was added to test notification endpoints but not the corresponding save endpoints, enabling attackers to store malicious URLs that execute without validation when the cron job runs. No active exploitation (KEV) or public POC is currently documented.
Technical ContextAI
Wallos is a PHP-based open-source subscription tracking application identified by CPE cpe:2.3:a:ellite:wallos. This vulnerability is classified under CWE-918 (Server-Side Request Forgery), a security weakness where an attacker can abuse server-side functionality to make HTTP requests to arbitrary destinations. The issue stems from an incomplete fix for previous SSRF vulnerabilities (CVE-2026-30839 and CVE-2026-30840). While version 4.6.2 introduced the validate_webhook_url_for_ssrf() function to protect test notification endpoints, the developers failed to apply the same validation to the save notification endpoints. When authenticated users configure notification webhooks and save them through unprotected endpoints, these URLs bypass SSRF checks. The vulnerability materializes when the sendnotifications.php cron job executes, sending requests to the stored URLs without any validation, potentially targeting internal network resources, cloud metadata services, or other restricted endpoints.
RemediationAI
Upgrade Wallos to version 4.7.0 or later, which includes the complete SSRF validation fix as documented in the GitHub security advisory at https://github.com/ellite/Wallos/security/advisories/GHSA-mfjc-3258-cq3j. The specific patch commit can be reviewed at https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef. Until patching is completed, implement compensating controls including restricting the application's outbound network access using firewall rules or network segmentation to prevent connections to internal IP ranges (RFC 1918 addresses, link-local addresses, localhost), cloud metadata endpoints (169.254.169.254), and other sensitive internal resources. Review existing notification webhook configurations for any suspicious internal IP addresses or localhost references that may have been saved by authenticated users. Consider implementing additional application-level authentication and authorization controls to limit which users can configure notification webhooks.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14945